Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

fix(controller/targets): authorize-session should allow h_ ids #1853

Merged
merged 2 commits into from
Feb 10, 2022
Merged

fix(controller/targets): authorize-session should allow h_ ids #1853

merged 2 commits into from
Feb 10, 2022

Conversation

justenwalker
Copy link
Contributor

The targets controller previously only allowed hosts from a static catalog
since it checked for the ID subtype from the static package.

This change validates host ids with the plugin.Subtype as well

Fixes: #1850

@justenwalker
fix(controller/targets): authorize-session should allow h_ ids
bc57ef1 
The targets controller previously only allowed hosts from a static catalog
since it checked for the ID subtype from the static package.

This change validates host ids with the plugin.Subtype as well

Fixes: hashicorp#1850
@talanknight talanknight self-requested a review February 10, 2022 17:04
talanknight
talanknight previously approved these changes Feb 10, 2022
View reviewed changes
Copy link
Contributor

@talanknight talanknight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the fix!
Currently our target_service test doesn't cover specifying the host id when authorizing a session so I'll submit a seperate fast follow up PR to this one which adds regression tests.

@justenwalker
Copy link
Contributor Author

justenwalker commented Feb 10, 2022
edited
Loading

Thank you for the fix! Currently our target_service test doesn't cover specifying the host id when authorizing a session so I'll submit a seperate fast follow up PR to this one which adds regression tests.

Hi @talanknight -- I have an update coming which should add a regression test for this case - I can push it to this PR if you're interested

diff --git a/internal/servers/controller/handlers/targets/tcp/target_service_test.go b/internal/servers/controller/handlers/targets/tcp/target_service_test.go
index 6424d9b8..0d90f182 100644
--- a/internal/servers/controller/handlers/targets/tcp/target_service_test.go
+++ b/internal/servers/controller/handlers/targets/tcp/target_service_test.go
@@ -2776,6 +2776,12 @@ func TestAuthorizeSession(t *testing.T) {
                        assert.NotEmpty(t, cmp.Diff(asRes1.GetItem().GetCredentials(), asRes2.GetItem().GetCredentials(), protocmp.Transform()),
                                "the credentials aren't unique per request authorized session")

+                       _, err = s.AuthorizeSession(ctx, &pbs.AuthorizeSessionRequest{
+                               Id:     tar.GetPublicId(),
+                               HostId: asRes2.GetItem().GetHostId(),
+                       })
+                       require.NoError(t, err, "session must authorize with explicit host ID")
+
                        wantedHostId := tc.wantedHostId
                        if tc.wantedHostId == "?" {
                                wantedHostId = asRes2.GetItem().GetHostId()

@justenwalker
test: cover authorize-session with host id
56a51f9 
Add a regression test to cover the case where an explicit host ID was
given when calling AuthorizeSession
@talanknight
Copy link
Contributor

Adding that regression test would be wonderful. Thank you!

@justenwalker
Copy link
Contributor Author

Adding that regression test would be wonderful. Thank you!

Sure thing. Pushed for your review.

talanknight
talanknight approved these changes Feb 10, 2022
View reviewed changes
Copy link
Contributor

@talanknight talanknight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@talanknight talanknight merged commit bd30ff4 into hashicorp:main Feb 10, 2022
@justenwalker justenwalker deleted the justen/fix-1850 branch February 12, 2022 23:04
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@talanknight talanknight talanknight approved these changes

Assignees
No one assigned
Labels
core/servers core
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

boundary connect's -host-id flag expects the hst_ prefix instead of the actual h_ one
2 participants
@justenwalker @talanknight